2 Input size validation is good, but not enough … Need to also validate “type” of input.Just validating the size isn’t enough!!Examples (next): SQL injection, HTTP parameter tampering, Cross Site Scripting attack.
3 The rest of this lecture is not from the textbook. Please take notes.
4 Next: SQL injection attack Next: SQL injection attack. Before that: Everything we need to know for the moment about SQLConsider a University database that maintains information about every student such as:their id, major, the specific concentrations in their major, the core courses of their concentration etc…This information can be organized into multiple tables. E.g.,studentTable can contain the columns: student name, SSN, major, courses takenmajorTable can contain the columns: information about the major, and different concentrations in the major.concentrations table can contain columns such as concentration name, core courses, electives credit hour requirement etc.Database Management Systems (such as Oracle) provide a language that allows users to create or update such tables and query the tables.
5 Everything we need to know for the moment about SQL (2) SQL (Structured query language).It is the language used to query relational databases such as Oracle.It falls under a class of programming languages called Domain Specific Languages (DSL).How is a DSL different from a generic high-level programming language such as Java?As the name suggests DSLs are programming languages very specific to a domain, e.g., databases (or) programming routers.Some of the things you can do with SQLCreate tables in a database. E.g., creating a student table and a concentrationQuery tables (multiple tables at a time) to extract information.E.g. What are the core courses a student Xunil must take?This involves querying two tables: student table and concentration table.
26 To understand this attack, we need to know the HTTP protocol. HTTP basics.To understand this attack, we need to know the HTTP protocol.HTTP protocol supports two messages:GET allows you to download webpagesPUT allows you to upload data/webpages.
29 HTML input fieldsSome HTML causes the browser to generate input forms (pull-downs, checkboxes, text boxes…)Example: a sample formWhen user presses "submit", it's just like requesting another web page, except that the input fields are included in the http header.
30 A user can 'show-source' to see the HTML the browser gets. Forging input fieldsA user can 'show-source' to see the HTML the browser gets.We can save-as, edit the file, and then submit w/ bad data!Solutions? Validate the data server-side, too.
43 HTML Injection attackIn HTML, angle-brackets don't represent text; they represent the structure of the text (e.g. where paragraphs start/end, what text is a header, etc.).If a browser, when receiving a string of HTML, sees a '<' it knows to treat that as a tag, not as text.
44 HTML Injection attack 2A server might often create a page containing "<p>Hello, $name, how are you?</p>" where $name was taken from previous user input.What characters might be inside $name, that would confuse the browser?Try this form.
45 HTML Sanitization(Recall: this is the same problem where user-input was spliced into strings that then were used as SQL queries.)If you want a browser to display a less-than symbol as text, you want to use "<" instead of "<".
46 The function sanitizeHTML just replaces each '<' with "<", etc. HTML Sanitization 2Solution: replace any chars that would represents HTML structure, with a string that represents HTML data:$nameAsHTMLData = sanitizeHTML($name);echo "Hello, $nameAsHTMLData, how are you?</p>";The function sanitizeHTML just replaces each '<' with "<", etc.
49 ToolsThere are some good tools that will allow you to achieve this attack without going through the preceding steps:WebScarabThis is a web proxy – that you can run on any machine.It simply intercepts all the requests from your browser as well as the responses that your browser gets.Provides controls to edit HTML fields etc.In upcoming HW, you will be using WebScarab.
50 Other type of Application level attacks Race conditions
51 Race Condition attacks Client: checks file attributesClient: verify the user could write file XClient: Write file (as root, on behalf of the authorized user)Attacker: changes file permissions in the window between client's checking and useAttacker deletes file(name) XCreates symbolic link from X to privileged file (e.g. /etc/passwd)This requires only directory-write privilegesAttack as a result of interaction between multiple processes.
52 Why synchronization is necessary ? Reason 2: Security Example attack: Race condition attacksSome programs such as gcc/g++ create temporary filesThey assume that the temporary file hasn’t changed from the time of creation till they time they write.Hence, there is a small time window, which can be used by attackers (see figure below).Called a race condition because two processes (gcc is one, the attacker’s process is the other) are racing to access the same resource.Check if user can write file XWrite file XAttacker deletes XCreates symbolic link to privileged fileCreate temporaryFile XDelete or writefile X